Healthcare Breaches
New HHS reporting rules have increased breach visibility.
HITECH mandates public posting of breaches affecting 500 or more individuals.
Over 100 breaches had been posted by the rule's first anniversary (Sept. 2010).

Theoretical Background (1)
Organizational learning for performance improvement
  Investment in performance improvement is triggered either by defects or by external mandates.
  Organizations learn from those investments whether or not a defect triggered them (Ittner et al. 2001, Management Science).
  Learning is a function of both proactive investments and autonomous learning-by-doing, rather than of reactive investments alone.

Theoretical Background (2)
Interaction with external mandates
  Public attention can make organizations focus on the problem area.
  Voluntary recalls result in more learning than involuntary recalls: the effects of voluntary and involuntary recalls on subsequent recall rates (Haunschild et al. 2004, Management Science).
Organizational learning in security investments

Research Questions
How do proactive and reactive investments affect security improvement?
How do external regulatory pressures affect security performance?
Are there social incentives for security investments?

Endogeneity
Endogeneity of security investment
  Organizations that invest proactively might already have better security processes, management, or technological expertise than those that do not.
  Addressed with a two-step econometric procedure (Heckman 1979).
Endogenous adoption of regulation
  A state might adopt regulation in response to a sudden rise in breaches.
  A two-sample t-test comparing the number of breaches in states before adoption of new regulation with the number in states without adoption finds no significant difference (p-value > 0.1).
Hazard model
  Time line figure: proactive or reactive investment in period t-1 enters the hazard rate h(t) of a breach in period t; each organization is observed until a breach or the end of the time line.
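The hazard-rate set-up above, as an added example that is not part of the original slides or of the study's own code: a discrete-time hazard h(t) is estimated from a constructed panel of organizations, split by whether the organization invested in period t-1, with observation ending at the first breach or at the end of the time line (right-censoring). The organization names (org_A ... org_H), the `Period` record and the `PANEL` data are all invented for illustration.

```python
"""Discrete-time hazard of a security breach by lagged investment status.

Added example, not from the original slides. Each organization is observed
period by period until its first breach or the end of the time line (a
right-censored observation). The hazard h(t) is the probability of a breach in
period t given no breach before t; it is estimated as events / organizations
at risk, split by whether the organization invested in period t-1.
The panel below is constructed; organization names and fields are invented.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Period:
    invested: bool  # security investment made in this period
    breach: bool    # breach observed in this period


# Constructed panel: org -> periods 1..n in order. A breach, if any, is the last
# period because observation stops at the first breach; otherwise the org is
# censored at the end of the time line.
PANEL = {
    "org_A": [Period(True, False)] * 5,                          # invests, never breached
    "org_B": [Period(True, False)] * 2 + [Period(True, True)],   # invests, breached at t=3
    "org_C": [Period(False, False), Period(False, True)],        # no investment, breached at t=2
    "org_D": [Period(False, False)] * 2 + [Period(False, True)],
    "org_E": [Period(False, False)] * 5,                         # no investment, censored
    "org_F": [Period(True, False)] * 5,
    "org_G": [Period(False, False)] * 3 + [Period(False, True)],
    "org_H": [Period(False, False)] * 2 + [Period(True, False)] * 3,  # starts investing at t=3
}


def validate(panel):
    """Reject panels where a breach is not the final observed period."""
    for org, periods in panel.items():
        if any(p.breach for p in periods[:-1]):
            raise ValueError(f"{org}: a breach must end the observation window")


def risk_set(panel):
    """Yield (t, invested_prev, breach) for every org-period at risk.

    Period 1 has no lagged investment and is dropped. Every later period in
    the list is at risk because the org has survived to t-1 by construction.
    """
    validate(panel)
    for periods in panel.values():
        for t in range(2, len(periods) + 1):
            yield t, periods[t - 2].invested, periods[t - 1].breach


def hazard_table(panel):
    """(t, invested_prev) -> (events, at_risk), the period-specific hazard inputs."""
    table = defaultdict(lambda: [0, 0])
    for t, inv, breach in risk_set(panel):
        table[(t, inv)][0] += int(breach)
        table[(t, inv)][1] += 1
    return {key: tuple(val) for key, val in table.items()}


def pooled_hazard(panel):
    """invested_prev -> (events, at_risk), pooled over all periods."""
    pooled = {True: [0, 0], False: [0, 0]}
    for _, inv, breach in risk_set(panel):
        pooled[inv][0] += int(breach)
        pooled[inv][1] += 1
    return {key: tuple(val) for key, val in pooled.items()}


def rate(events, at_risk):
    """Empirical hazard estimate; NaN when nobody is at risk."""
    return events / at_risk if at_risk else float("nan")


def hazard_ratio(panel):
    """Pooled hazard of investors divided by pooled hazard of non-investors."""
    pooled = pooled_hazard(panel)
    return rate(*pooled[True]) / rate(*pooled[False])


if __name__ == "__main__":
    for (t, inv), (events, at_risk) in sorted(hazard_table(PANEL).items()):
        print(f"t={t} invested_prev={inv!s:5} h(t)={events}/{at_risk}={rate(events, at_risk):.2f}")
    for inv, (events, at_risk) in pooled_hazard(PANEL).items():
        print(f"pooled invested_prev={inv!s:5} h={events}/{at_risk}={rate(events, at_risk):.3f}")
    print(f"hazard ratio (investors / non-investors) = {hazard_ratio(PANEL):.3f}")
```

Censored organizations (org_A, org_E, org_F, org_H) count in every risk set they survive through but never as events, which is what distinguishes a hazard estimate from a naive "share of investors that were breached"; dropping them would overstate the hazard for whichever group is censored more often.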

Results
Proactive investments are more effective at reducing security failures than reactive investments.
When proactive investment is forced by an external requirement, its effect is diminished.
Both proactive and reactive security investments have positive externalities: one organization's security investments help the others.

Implications
The regulatory value of carrot vs. stick
  Because of the positive externalities, incentives could be earmarked to boost investment in security.
Regulatory requirements should not be prescriptive
  For example, regulation could mandate that a portion of the overall IT budget be dedicated to security while leaving organizations to decide on the types of security investment.

Further and Future Work
External and internal failures
  Results: external breaches have a significant association with security investment, whereas internal breaches have no effect.
  Why? Our investment data focus on external threats, and greater concern about a problem leads to more effort to resolve it.
Future work
  Examine security policies and training programs.
  Consider the monetary size of security investments.
  Consider the severity of breaches.